TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc
Figure 9: Reading fw monitor output – second line
The second line tells us that this is a TCP payload inside the IP packet, sent from port 1050 to
port 18190. The following element displays the TCP flags that are set (in this case PUSH and ACK). The last two
elements show the sequence number (seq=bf8bc98e) of the TCP packet and the acknowledged
sequence number (ack=941b05bc). You will see similar information for UDP packets.
! You will only see a second line if the transport protocol used is known to fw monitor. Known
protocols are, for example, TCP, UDP and ICMP. If the transport protocol is unknown or cannot be
analyzed because it is encrypted (e.g. ESP) or encapsulated (e.g. GRE), the second line is missing.
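As an added example (not part of the original document), a small Python parser for the transport line described above. It assumes that the letters F, S, R and U denote the remaining TCP flags (only P and A appear on this page), that UDP lines carry just the port pair, and it returns None for anything that is not a transport line, so a caller walking a capture does not mistake the next record's first line for transport information when the second line is missing (ESP, GRE).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Transport (second) line of an fw monitor record, e.g.
#   TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc
# Flags, seq and ack are optional so that UDP lines (assumed: ports only) also match.
_TRANSPORT_RE = re.compile(
    r"^(?P<proto>TCP|UDP):\s+(?P<sport>\d+)\s*->\s*(?P<dport>\d+)"
    r"(?:\s+(?P<flags>[FSRPAU.]+))?"
    r"(?:\s+seq=(?P<seq>[0-9a-fA-F]+))?"
    r"(?:\s+ack=(?P<ack>[0-9a-fA-F]+))?\s*$"
)

# Letter -> flag name. P (PUSH) and A (ACK) are shown on the page; the mapping
# of F, S, R and U to the other TCP flags is an assumption of this example.
_FLAG_NAMES = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH", "A": "ACK", "U": "URG"}


@dataclass
class TransportInfo:
    proto: str
    sport: int
    dport: int
    flags: List[str] = field(default_factory=list)
    seq: Optional[int] = None   # sequence number as an integer (hex on the wire)
    ack: Optional[int] = None   # acknowledged sequence number, or None for UDP


def parse_transport_line(line: str) -> Optional[TransportInfo]:
    """Return the parsed transport line, or None if the line is not one.

    None is the signal for the ESP/GRE case: fw monitor prints no second line,
    so the line following the IP line is already the next packet record.
    """
    m = _TRANSPORT_RE.match(line.strip())
    if m is None:
        return None
    flags = [_FLAG_NAMES[c] for c in (m.group("flags") or "") if c != "."]
    seq = int(m.group("seq"), 16) if m.group("seq") else None
    ack = int(m.group("ack"), 16) if m.group("ack") else None
    return TransportInfo(m.group("proto"), int(m.group("sport")),
                         int(m.group("dport")), flags, seq, ack)


if __name__ == "__main__":
    # The line from Figure 9 above.
    print(parse_transport_line("TCP: 1050 -> 18190 ...PA. seq=bf8bc98e ack=941b05bc"))
```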
How does fw monitor work?
In contrast to other capturing tools like snoop or tcpdump, fw monitor does not use the promiscuous
mode on network interface cards. Because FireWall-1 already receives all packets (the FireWall-1 kernel
module sits between the NIC driver and the IP stack), fw monitor uses its own kernel module
to capture packets, as opposed to the modules that filter or encrypt them.
Unlike snoop or tcpdump, fw monitor has the ability to capture packets at different positions in the
FireWall-1 kernel module chain (refer to Capture position for more information about the four locations).
snoop and tcpdump capture packets only when they enter or leave the computer. Especially when NAT
with FireWall-1 is involved, fw monitor offers the possibility to capture packets at multiple locations (e.g.
after the FireWall Virtual in inbound direction). This can help you see how the packets are translated by
the firewall and on which IP address the routing decision is made.
How to use fw monitor Page 13 of 70
Revision: 1.01